Cloud Computing NATIONAL SECURITY ENERGY & ENVIRONMENT HEALTH CYBERSECURITY. SAIC. All rights reserved.




Cloud Computing
James Fanning, Ph.D.
Chief Engineer and VP, Enterprise and Mission Solutions Business Unit
Science Applications International Corporation
James.J.Fanning@
07 DEC 2011

Introduction
- Cloud-First strategy, part of the federal 25-point IT plan and motivations
- Important role of NIST
- Definitions
- Reference architecture
- Federal Information Security Management Act (FISMA)
- Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC)
- Business use cases (BUCs)
- Why, when, and where does it make good business sense to migrate to a cloud?
- Cross-cutting business use cases
- What business functions make sense?
- Role of GSA infrastructure-as-a-service (IAAS) and email-as-a-service (EAAS)
- Late-breaking news from the Cloud PMO - GSA
NIST = National Institute of Standards and Technology, GSA = General Services Administration, PMO = Project Management Office

What Is the Cloud and Where Is It Useful?
[Slide graphic: media outlet names: Business Week, The Wall Street Journal, Economist.com, Gartner, WashingtonPost.com, FT.com, Washington Technology, TechWorld, The Seattle Times, The New York Times, PDFzone, Information Week, National Public Radio, WIRED, Technology Review]

Federal Government Drivers and Trends: 25-Point Plan, Including Cloud-First Strategy (Dec. 9, 2010) >> Feb 8, 2011
PART I: ACHIEVING OPERATIONAL EFFICIENCY
A. Apply "Light Technology" and Shared Solutions
1. Complete detailed implementation plans to consolidate at least 800 data centers by 2015
2. Create a government-wide marketplace for data center availability
3. Shift to a Cloud First policy
4. Stand-up contract vehicles for secure IaaS solutions
5. Stand-up contract vehicles for commodity services
6. Develop a strategy for shared services
PART II: EFFECTIVELY MANAGING LARGE-SCALE IT PROGRAMS
Cloud First Strategy
Begins immediately with three (3) parts:
- Use commercial cloud technologies where feasible
- Launch private government clouds
- Utilize regional clouds with state and local governments
Default to cloud-based solutions
3.1 Publish cloud strategy
- Federal CIO will publish a strategy to accelerate the safe and secure adoption
- NIST will facilitate and lead the development of standards
3.2 Jump-start the migration to cloud technologies
- required to identify three must move services and create a project plan for migrating each of them to cloud solutions and retiring the associated legacy systems. Of the three, at least one of the services must fully migrate to a cloud solution within 12 months and the remaining two within 18 months.
NIST = National Institute of Standards and Technology, CIO = Chief Information Officer

IT Memorandum Examples 6

The Spending Motivation Source: Federal Cloud Computing Strategy, FEB2011, Appendix 1: Potential spending on cloud computing by agency. Agency estimates reported to the Office of Management and Budget (OMB). 7

The Utilization Motivation
[Slide graphic labels: Distributed; Component-Orientation; Virtualized; Layer-Orientation; Automated; Service-Orientation]
POWER: Computers typically require 70% of their total power requirements to run at just 15% utilization.
Source: Gartner Group, Cost of Traditional Data Centers (2009), and Data Center Efficiency (2010).

Primary Activities Within the Federal Cloud Project Management Office (PMO)
- Apps.gov: First federal storefront offering commoditized cloud services
- FedRAMP: "Authorize once, use many" approach to security for cloud service providers
- Federal Data Center Consolidation Initiative (FDCCI): Assist agencies to consolidate at least 800 data centers by Fiscal Year 2015
- Infrastructure-as-a-Service (Development): Commodity computing resources - GSA BPAs, DISA RACE
- Software-as-a-Service (Email): Cloud email to be made available (Awards now spring of 2012)
- Platform-as-a-Service (Geospatial): Federal Geographic Data Committee (FGDC) and GSA GeoCloud Sandbox Initiative
Business Use Cases Addressed Here
FedRAMP (Federal Risk and Authorization Management Program) is a trademark of the United States General Services Administration in the U.S. and/or other countries.
GSA = General Services Administration, BPAs = blanket purchase agreements, DISA RACE = Defense Information Systems Agency Rapid Access Computing Environment

Reinforcing the Federal Strategic Decision Regarding Cloud Computing
Federal Cloud Computing Strategy called out the important role of NIST in promoting standards and security measures for cloud computing:
- Cloud definitions and guidance. Special Publication (SP) series include [http://www.nist.gov]:
  - SP 500 series for Information Technology
  - SP 800 series for Computer Security
  - Computer security-related Federal Information Processing Standards (FIPS)
- Industry/government working groups/committees established for:
  - FedRAMP (Federal Risk and Authorization Management Program) for cross-agency C&A with utilization of NIST SP 800-53 (and others) as a tech basis under Federal Information Security Management Act (FISMA)
  - SAJACC (Standards Acceleration to Jumpstart Adoption of Cloud Computing)
  - Reference architecture definition
  - Business use cases definition
NIST = National Institute of Standards and Technology
FedRAMP is a trademark of the United States General Services Administration in the U.S. and/or other countries.

NIST Special Publication Cloud Examples (as of November 2011)
SP aimed at accelerating the cloud computing adoption by federal agencies:
- NIST SP 500-291, Cloud Computing Standards Roadmap (10 AUG 2011)
- NIST SP 500-292, Cloud Computing Reference Architecture (08 SEP 2011)
- NIST SP 500-293, US Government Cloud Computing Technology Roadmap (~NOV 2011)
  - Volume I, High-Priority requirements to Further USG Agency Cloud Computing Adoption (Draft)
  - Volume II, Useful Information for Cloud Adopters (Draft)
  - Volume III, Technical Considerations for USG Cloud Computing Deployment Decisions (Draft)
- NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations (29 JUN 2010)
- NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations (SEP 2011)
- NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing (Draft, JAN 2011)
- NIST SP 800-145, The NIST Definition of Cloud Computing (SEP 2011)
- NIST SP 800-146, Cloud Computing Synopsis and Recommendations (Draft, MAY 2011)
NIST = National Institute of Standards and Technology, SP = special publication

Cloud Computing Reference Architecture (SP 500-292 - SEP 2011 ) Source: http://collaborate.nist.gov/twiki-cloud-computing/pub/cloudcomputing/referencearchitecturetaxonomy/nist_sp_500-292_-_090611.pdf 12

Federal Information Security Management Act (FISMA)
- Comprehensive framework to protect government information, operations and assets against natural or manmade threats
- Many federal agencies stipulate FISMA certification as a requirement for their IT solutions
- Certification and accreditation are confirmed by the General Services Administration
- Consolidates many security requirements and guidance into an overall framework
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
Security category: LOW (limited), MODERATE (serious), HIGH (catastrophic)
- Requires executive agencies within the federal government to plan, assign, review, authorize
- FISMA has three main sections: reporting requirement, independent evaluation, corrective action plan
[Slide diagram steps: Security Categorization; Security Control Selection; Security Control Supplement; Security Control Documentation; Security Control Implementation; Security Control Assessment; System Authorization; Security Control Monitoring. Publications shown: FIPS 199, FIPS 200, SP 800-18, SP 800-30, SP 800-37, SP 800-53, SP 800-53A, SP 800-60, SP 800-70]
FIPS = Federal Information Processing Standard, SP = special publication

Cloud Security Concerns (NIST Working List 02NOV11)
NIST_Security_Requirements_for_US_Government_Cloud.pdf
1. Potential Loss of Control/Ownership of Data
2. Data Integration, Privacy Enforcement, Data Encryption
3. Security Concerns are Identified Threats - CSA's Top Threats (7)
4. Data Remanence after de-provisioning
5. Multi Tenant Data Isolation
6. Data Location Requirements (within national borders)
7. Hypervisor Security
8. Audit Data Integrity Protection
9. Ensuring Verification of Subscriber policies (including regulatory needs) through Provider controls
10. Certification/Accreditation Requirements for a given Cloud Service
Source: http://collaborate.nist.gov/twiki-cloud-computing/pub/cloudcomputing/cloudsecurity/nist
CSA = Cloud Security Alliance, NIST = National Institute of Standards and Technology

NIST 3-Part Cloud Definition (SP 800-145 SEP 2011)
Service Models
- Software-as-a-service is access to virtualized applications via thin clients (e.g., Web browser)
- Platform-as-a-service is access to programming environments and tools
- Infrastructure-as-a-service is access to an operating environment (e.g., servers, storage, network)
Deployment Models
- Cloud infrastructure operated solely for a single organization; can be third party; on- or off-premises
- Cloud infrastructure shared by multiple organizations with similar mission or interest; can be third party; on- or off-premises
- Cloud infrastructure is property of the cloud provider and open to everyone
- Combination of two or more deployment types; enabling portability and cloud bursting
Essential Characteristics
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity (scale up/down)
- Measured service
e.g. = for example

Tradeoffs Between Cost and Security for the Cloud Deployment Models
[Slide chart: axes Cost and Risk; deployment models plotted: Hybrid, Private, Community, Public]

IaaS, PaaS, SaaS Stack Ownership
[Slide graphic: one stack each for Infrastructure As a Service (IaaS), Platform As a Service (PaaS) and Software As a Service (SaaS), with layers marked as owned by the Cloud Consumer or the Cloud Provider]
Layers in each stack: Business Applications; Runtimes; Security and Integration; Databases; Servers; Virtualization; Server Hardware; Storage; Networking

IaaS, PaaS, SaaS Vendor Examples
[Slide table: columns Service Model, Government, Commercial]
Service models: Software as a service (SaaS); Platform as a service (PaaS); Infrastructure as a service (IaaS)
Names shown: GSA Apps.Gov; Google Apps; PayPal; ZOHO work online; Salesforce; Federal Geographic Data Committee (FGDC) & GSA GeoCloud Sandbox Initiative; DISA RACE; Flexible Payments Service (FPS); amazon web services; Simple Storage Service (S3); Elastic Compute Cloud (EC2); force.com; GoGrid; Windows Azure; YAHOO! DEVELOPER NETWORK; Google App Engine
GSA = General Services Administration, DISA RACE = Defense Information Systems Agency Rapid Access Computing Environment
Trademark attributions on slide 35

For instance, AWS Recent News
September 15, 2011, Amazon company statement
- Amazon Web Services (AWS) hosted storage and computing products have achieved FISMA Moderate certification
- Amazon Web Services now has PCI DSS Level 1 credit card standards, FIPS 140-2, ISO 27001 international security standard, and SAS-70 type II auditing standard certifications, and the HIPAA health data privacy act
- The configurations and controls required by FISMA Moderate are extensive, according to Amazon, and include third-party audits and process documentation
- Public-sector customers including Recovery.gov, Treasury.gov and the Federal Register are using the Amazon Elastic Compute Cloud for flexible computing power
- The company has established a partitioned AWS GovCloud specifically for government customers
  - Can handle data subject to International Traffic in Arms Regulations (ITAR)
  - AWS GovCloud is physically and logically accessible by U.S. persons only
- Procure cloud computing services from AWS at the FISMA Moderate level using the GSA IaaS BPA (blanket purchase agreement)
FISMA = Federal Information Security Management Act, PCI DSS = Payment Card Industry Data Security Standard, FIPS = Federal Information Processing Standard, SAS-70 = Statement on Auditing Standards No. 70, HIPAA = Health Insurance Portability and Accountability Act, GSA IaaS = General Services Administration Infrastructure as a service
ISO is a registered trademark of the International Organization for Standardization in the U.S. and/or other countries. AWS is a registered trademark of Amazon Technologies, Inc. in the U.S. and/or other countries.

Cloud Broker Example
[Slide graphic: layered stack with vendor logos]
Layers: Application & Services; Cloud Enterprise Management Layer; Cloud Delivery Layer; Cloud Framework & Application Interface Layer; Virtualization Layer; Data Center Components
Names shown: enstratus; Right Scale; amazon web services; DATALINE; ServerVault; terremark; NASA NEBULA; CLOUD SWITCH; CITRIX; Eucalyptus Systems, Inc.; Xen; EMC; vcloud Express; vmware; CISCO; BROCADE; DELL; Sun
Trademark attributions on slide 35

Why Government Is Turning to the Cloud?
Agility, speed, and flexibility
- Rapid deployment and change management (minutes vs. months to provision IT resources)
- Adaptable to changing/unpredictable business needs
- Ideal for cyclical or episodic circumstances
- User self-service capabilities possible
Financial benefits
- Cost savings vs. legacy (some perceived, some real)
- Pay-as-you-go model reduces financial risk and exposure
- Move from capital expense (CapEx) to operating expense (OpEx)
- A natural for green IT and data center consolidation mandates

Why Government Is Turning to the Cloud?
Simplicity and convenience
- Easy, on-demand procurement of cloud services promised
- Encourages use of standardized resources/applications
- Easy mobile access to applications globally
New capabilities
- New integrated solutions not feasible before
- Most security risks well mitigated and being addressed by FedRAMP
- New citizen services opportunities facilitated by wide cloud adoption
FedRAMP is a trademark of the United States General Services Administration in the U.S. and/or other countries.

Mission Areas for Government Business Use Cases
- Large eGovernment, public, information dissemination mission, and those subject to flash crowds should be among the first adopters (with minimal security risk)
- A cyclical and seasonal set of requirements (for example, census, IRS, NOAA, DOE, agriculture)
- Large databases and statistical responsibility requiring large-scale scientific and technical computing resources (largely to be on standby)
IRS = Internal Revenue Service, NOAA = National Oceanic and Atmospheric Administration, DOE = Department of Energy

Mission Areas for Government Business Use Cases
- Episodic requirements which can benefit from rapid, on-demand cloud provisioning
  - Emergency management per the Federal Response Plan with 28 agencies and FEMA
  - International support (for example, Japanese earthquake and tsunami; Middle East crises, etc.)
- e-filing, complex multi-directional object submission, public collaboration, benefits transfer, and grants management -- eGovernment applications
FEMA = Federal Emergency Management Agency

Mission Areas for Government Business Use Cases
- Broad and distributed defense, international, financial, and intelligence responsibility needing to
  - Gather information, collaborate, analyze, visualize, develop situational awareness, and deliver information
  - Also includes mobile delivery
  - Examples: border surveillance, financial market surveillance, environmental monitoring
- Well-defined communities and regulatory responsibility to adopt a push/pull scenario for secure access to regulated distributed databases
- Well-defined business functions that can be typically out-sourced and acquired as SaaS, such as HR and financial management (FM)
SaaS = software as a service, HR = human resources

Cross-cutting Business Use Cases
Most organizations perform a common set of business functions that are amenable to a cloud-based approach within the four NIST delivery models:
- Development and test
- Search and retrieval
- Records management services and digital notary
- Information dissemination
- e-filing: electronic submission of documents/data with receipts and validation ("electronic mailroom")
- Benefits and grant transfer
- Collaboration and information sharing
- Social networking
- Mobile access/delivery
- Communications (email and messaging)
- eDiscovery, statistical analysis, and analytics
- Geospatial services (PAAS)
- Workflow management
- Archiving and data storage
- Document management
- Backup and recovery and continuity of operations (COOP)
- Data gathering and situational awareness
- FOIA support services
- ITIL and SLA management-as-a-service
- Managed security services (for example, identity management, penetration testing, persistent PKI, continuous monitoring, intrusion detection, managed endpoint security)
NIST = National Institute of Standards and Technology, PAAS = platform as a service, FOIA = Freedom of Information Act, SLA = service level agreement
ITIL is a registered trademark, and a registered community trademark, of the Minister for the Cabinet and is registered in the U.S. Patent and Trademark Office.

Secure efiling With Records Management and Interchange Across Business Partners Infrastructure-as-a-Service 27

GSA IAAS Provides the Infrastructure for Hosting the BUCs BUCs = business use cases GSA IAAS = General Services Administration infrastructure as a service BPA = blanket purchase agreement 28 https://info.apps.gov/sites/default/files/slicksheet_iaas_mm.pdf

GSA IAAS Provides the Infrastructure for Hosting the BUCs
Issues and observations
- Number of awardees is high
- Awardees currently striving to achieve FISMA Moderate security assessment via FedRAMP
- The GSA BPA for IAAS DID NOT provide for system integrator (SI) services, nor any labor services for actual development and migration of agency apps/data/use cases to the cloud
- IAAS was pure, low-cost, commodity cloud services BPA for servers, storage, and network resources
- SLAs included but with differences (for example, service availability of 99.5 percent)
- Agencies are beginning to be inundated and perplexed as to whom to select
- The hard work still lies ahead regarding WHAT functions and business use cases should they implement (key risks and migration measures)
GSA IAAS = General Services Administration infrastructure as a service, BUCs = business use cases, FISMA = Federal Information Security Management Act, BPA = blanket purchase agreement, SLAs = service level agreements
FedRAMP is a trademark of the United States General Services Administration in the U.S. and/or other countries.

NEW: GSA Email as a Service (EAAS) Embeds Many NIST Business Use Cases
- Even more competitors are expected with $2.5 billion ceiling
- Now contains applications migration and integration services with 11 labor categories
- FedRAMP up to FISMA HIGH
- Many NIST cross-cutting business use cases now incorporated in lots:
  - Email and collaboration
  - eDiscovery and searching
  - Archiving, storage, backup and restore services
  - Social networking (à la Web page development)
  - Records management services
  - Mobile delivery
Five service offerings:
- Lot 1: Email-as-a-Service (EAAS)
- Lot 2: Office Automation
- Lot 3: Electronic Records Management
- Lot 4: Migration Services
- Lot 5: Integration Services
Four categories of cloud computing:
- Government community cloud
- Provider-furnished equipment private cloud
- Secret enclave
- Public cloud
GSA = General Services Administration, NIST = National Institute of Standards and Technology, FISMA = Federal Information Security Management Act
FedRAMP is a trademark of the United States General Services Administration in the U.S. and/or other countries.

NEW: GSA Email-as-a-Service Update (22 NOV 2011)
General Services Administration (GSA) reopens cloud email RFQ as of Tuesday, 11/22/2011, 3:45 p.m. Eastern Time
GSA now:
- Better defines government community cloud as a multi-tenant cloud offering limited exclusively to United States federal, state, local and tribal governments with registered .gov or .mil domain addresses
- Asks for a designated chief information security officer and an acceptable use policy
- Asks for location of their data centers
- Calls for encrypted data to use the designated standards for data "at rest" and "in transit"
- Calls for connection to the agency's Trusted Internet Connection gateway
The cloud computing contract has a ceiling of $2.5 billion over five years. Agencies are waiting to use the blanket purchase agreement. The Office of Management and Budget said earlier this year that 15 agencies were ready to move 950,000 mail boxes to the cloud.

Observations and Final Thoughts
- NIST business use cases are viable for implementation in a cloud. Several implementations already exist as exemplars with lessons learned
- Many organizations are beginning with a private cloud, a safe but less cost-effective starting point.
- Many IT organizations view a cloud computing roadmap as a technology implementation rather than a change agent for business processes. They need to partner with the CFO and other internal stakeholders to deliver business process value first and foremost
- More of a business transformation than a technology revolution
- An enlightened design can securely integrate internal and external resources: learn and appreciate the standards, especially security and interoperability
NIST = National Institute of Standards and Technology, CFO = Chief Financial Officer

Observations and Final Thoughts
- The public cloud will become more secure and less risky as time goes on. Virtually every organization has something like information dissemination or e-learning that can be a test case for the public cloud
- Besides, you can always encrypt and store the keys in your trusted private environment
- Community clouds will initially form around classes of users. Over time, however, communities will align to feature certain capabilities (like financial management providers) in clouds optimized to provide that kind of service.
- Prescient organizations will redefine the role of the IT department as part of a move to cloud computing. Personnel will need training and eventual redeployment to harness talent and achieve efficiencies.

Thank You James J Fanning, Ph.D. SAIC Chief Engineer and Vice President Enterprise and Mission Solutions Business Unit James.J.Fanning@ (719) 310-6049 34

Trademark Attributions Amazon Web Services and Flexible Payments Service are trademarks or registered trademarks of Amazon Technologies, Inc. in the U.S. and/or other countries. Brocade is a registered trademark of Brocade Communications Systems, Inc. in the U.S. and/or other countries. Cisco is a registered trademark of Cisco Technology, Inc. in the U.S. and/or other countries. Citrix and Xen are registered trademarks of Citrix Systems, Inc. in the U.S. and/or other countries. The CloudShield logo is a registered trademark of CloudShield Technologies (an SAIC Company) in the U.S. and/or other countries. CloudSwitch is a registered trademark of CloudSwitch, Inc. in the U.S. and/or other countries. Dell is a registered trademark of Dell Inc. in the U.S. and/or other countries. EMC is a registered trademark of EMC Corporation in the U.S. and/or other countries. enstratus is a trademark of enstratus Networks LLC in the U.S. and/or other countries. GoGrid is a registered trademark of GoGrid, LLC in the U.S. and/or other countries. Google is a registered trademark of Google Inc. in the U.S. and/or other countries. NEBULA is a registered trademark of the National Aeronautics and Space Administration in the U.S. and/or other countries. PayPal is a registered trademark of PayPal, Inc. in the U.S. and/or other countries. Right Scale is a registered trademark of RightScale, Inc. in the U.S. and/or other countries. Salesforce and force.com are registered trademarks of salesforce.com, inc. in the U.S. and/or other countries. The SAIC logo is a registered trademark of Science Applications International Corporation in the U.S. and/or other countries. ServerVault is a registered trademark of ServerVault Corp. in the U.S. and/or other countries. Sun is a registered trademark of Oracle America, Inc. in the U.S. and/or other countries. VCloud and VMware are registered trademarks of VMware, Inc. in the U.S. and/or other countries. 
Terremark is a trademark of Terremark Trademark Holdings, Inc. in the U.S. and/or other countries. Windows Azure is a trademark of Microsoft Corporation in the U.S. and/or other countries. Yahoo! is a registered trademark of Yahoo! Inc. in the U.S. and/or other countries. ZOHO is a registered trademark of ZOHO Corporation in the U.S. and/or other countries. 35